From 8c1a6ad05b70ed83be7b884317489186961fc589 Mon Sep 17 00:00:00 2001
From: Ferywir <65760459+Ferywir@users.noreply.github.com>
Date: Mon, 29 Jun 2026 09:25:18 +0200
Subject: [PATCH] fix(admin): render a proper error page instead of a blank
page on denial [#299] (#307)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Issue #299: posting to an admin Mod (eg editBuildings.php) could show an
essentially blank page. The admin panel and the game share the same PHP
session, so a game logout (session_destroy) — or a mobile browser dropping the
session cookie / serving a cached form with a stale token — wipes the admin
session. The Mod then stopped on a bare die('
Access Denied
') (or the
403 die() in csrf_verify()), which renders as a blank/broken page outside the
panel.
Add a shared admin_deny() helper in GameEngine/Admin/csrf.php that renders a
clean, self-contained, styled error page (with a "Return to Admin Panel" link)
and a no-store header, then exits. Wire it into csrf_verify() and replace every
bare "Access Denied" die() across the 42 admin Mods. Each Mod now loads
csrf.php at the top so admin_deny() is available before its first access check.
This is the presentation fix Shadow asked for ("we must receive an error not
blank page"). The deeper root cause (admin and game sharing one PHP session) is
left for a follow-up: giving the admin panel its own session cookie name.
Co-authored-by: Claude Opus 4.8
---
GameEngine/Admin/Mods/addABTroops.php | 4 +-
GameEngine/Admin/Mods/addTroops.php | 4 +-
GameEngine/Admin/Mods/addUsers.php | 4 +-
GameEngine/Admin/Mods/additional.php | 4 +-
GameEngine/Admin/Mods/cp.php | 6 ++-
GameEngine/Admin/Mods/delAli.php | 6 ++-
GameEngine/Admin/Mods/delUser.php | 6 ++-
GameEngine/Admin/Mods/delallymedal.php | 6 ++-
GameEngine/Admin/Mods/delallymedalbyaid.php | 6 ++-
GameEngine/Admin/Mods/delallymedalbyweek.php | 6 ++-
GameEngine/Admin/Mods/deletemedalbyweek.php | 6 ++-
GameEngine/Admin/Mods/editAccess.php | 6 ++-
GameEngine/Admin/Mods/editAli.php | 6 ++-
GameEngine/Admin/Mods/editBuildings.php | 4 +-
GameEngine/Admin/Mods/editHero.php | 4 +-
GameEngine/Admin/Mods/editOverall.php | 6 ++-
GameEngine/Admin/Mods/editPassword.php | 6 ++-
GameEngine/Admin/Mods/editPlus.php | 4 +-
GameEngine/Admin/Mods/editProtection.php | 6 ++-
GameEngine/Admin/Mods/editResources.php | 6 ++-
GameEngine/Admin/Mods/editSitter.php | 6 ++-
GameEngine/Admin/Mods/editUser.php | 6 ++-
GameEngine/Admin/Mods/editUsername.php | 6 ++-
GameEngine/Admin/Mods/editVillageOwner.php | 6 ++-
GameEngine/Admin/Mods/editWeek.php | 6 ++-
GameEngine/Admin/Mods/givePlus.php | 4 +-
GameEngine/Admin/Mods/givePlusRes.php | 6 ++-
GameEngine/Admin/Mods/giveResBonus.php | 6 ++-
GameEngine/Admin/Mods/gold.php | 6 ++-
GameEngine/Admin/Mods/gold_1.php | 6 ++-
GameEngine/Admin/Mods/mainteneceBan.php | 6 ++-
.../Admin/Mods/mainteneceCleanBanData.php | 6 ++-
GameEngine/Admin/Mods/mainteneceResetGold.php | 6 ++-
GameEngine/Admin/Mods/mainteneceResetPlus.php | 6 ++-
.../Admin/Mods/mainteneceResetPlusBonus.php | 6 ++-
GameEngine/Admin/Mods/mainteneceUnban.php | 6 ++-
GameEngine/Admin/Mods/massmessage.php | 4 +-
GameEngine/Admin/Mods/medals.php | 4 +-
GameEngine/Admin/Mods/recalcWH.php | 6 ++-
GameEngine/Admin/Mods/renameVillage.php | 6 ++-
GameEngine/Admin/Mods/sendMessage.php | 4 +-
GameEngine/Admin/Mods/sysmessage.php | 4 +-
GameEngine/Admin/csrf.php | 51 ++++++++++++++++++-
43 files changed, 205 insertions(+), 74 deletions(-)
diff --git a/GameEngine/Admin/Mods/addABTroops.php b/GameEngine/Admin/Mods/addABTroops.php
index d3f74100..89b14d63 100755
--- a/GameEngine/Admin/Mods/addABTroops.php
+++ b/GameEngine/Admin/Mods/addABTroops.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/addTroops.php b/GameEngine/Admin/Mods/addTroops.php
index 097a28fa..80b540e4 100755
--- a/GameEngine/Admin/Mods/addTroops.php
+++ b/GameEngine/Admin/Mods/addTroops.php
@@ -12,11 +12,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die(defined('ACCESS_DENIED_ADMIN') ? ACCESS_DENIED_ADMIN : 'Access Denied: You are not Admin!');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/addUsers.php b/GameEngine/Admin/Mods/addUsers.php
index d90d8ed4..fcd86ff7 100755
--- a/GameEngine/Admin/Mods/addUsers.php
+++ b/GameEngine/Admin/Mods/addUsers.php
@@ -28,12 +28,14 @@ include_once($autoprefix."GameEngine/Database.php");
// Admin-rank guard (defense-in-depth). Reaching any file under /Admin already
// requires an admin session: Session.php's checkLogin() gates the whole /Admin
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
// path on $_SESSION['admin_username'], so a plain player session is bounced to
// login.php before this point. This re-check aligns addUsers with its sibling
// Mods (gold.php, cp.php, editResources.php, ...), which all assert the rank
// here too; it is a redundant safety net, not the sole guard.
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/additional.php b/GameEngine/Admin/Mods/additional.php
index 0a7bf77d..a7ab0bb9 100755
--- a/GameEngine/Admin/Mods/additional.php
+++ b/GameEngine/Admin/Mods/additional.php
@@ -18,8 +18,10 @@
include_once("../../config.php");
include_once("../../Database.php");
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if(($_SESSION['access']?? 0) < ADMIN) die("Access Denied: You are not Admin!");
+if(($_SESSION['access']?? 0) < ADMIN) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
diff --git a/GameEngine/Admin/Mods/cp.php b/GameEngine/Admin/Mods/cp.php
index d7f0de1b..cc937fb0 100755
--- a/GameEngine/Admin/Mods/cp.php
+++ b/GameEngine/Admin/Mods/cp.php
@@ -8,8 +8,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id
$access = mysqli_fetch_array($sql);
$sessionaccess = $access['access'];
-if($sessionaccess != 9) die("
Access Denied: You are not Admin!
");
+if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET cp = cp + ".(int) $_POST['cp']." WHERE id = ".$id."");
diff --git a/GameEngine/Admin/Mods/delAli.php b/GameEngine/Admin/Mods/delAli.php
index a9b1495f..1f53ae8f 100644
--- a/GameEngine/Admin/Mods/delAli.php
+++ b/GameEngine/Admin/Mods/delAli.php
@@ -9,9 +9,11 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) { session_start(); }
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -47,7 +49,7 @@ if ($aid <= 0 || $admid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/delUser.php b/GameEngine/Admin/Mods/delUser.php
index c15dbed7..09eb22fe 100644
--- a/GameEngine/Admin/Mods/delUser.php
+++ b/GameEngine/Admin/Mods/delUser.php
@@ -9,9 +9,11 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) { session_start(); }
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -48,7 +50,7 @@ if ($uid <= 0 || $admid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
if (!password_verify($pass, $admin['password'])) {
die('');
diff --git a/GameEngine/Admin/Mods/delallymedal.php b/GameEngine/Admin/Mods/delallymedal.php
index 39743b7c..ed893c29 100755
--- a/GameEngine/Admin/Mods/delallymedal.php
+++ b/GameEngine/Admin/Mods/delallymedal.php
@@ -9,11 +9,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -52,7 +54,7 @@ if ($delete <= 0 || $aid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/delallymedalbyaid.php b/GameEngine/Admin/Mods/delallymedalbyaid.php
index b924b67d..fb833aa8 100755
--- a/GameEngine/Admin/Mods/delallymedalbyaid.php
+++ b/GameEngine/Admin/Mods/delallymedalbyaid.php
@@ -9,11 +9,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($aid <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/delallymedalbyweek.php b/GameEngine/Admin/Mods/delallymedalbyweek.php
index 815ac131..a7bedca7 100755
--- a/GameEngine/Admin/Mods/delallymedalbyweek.php
+++ b/GameEngine/Admin/Mods/delallymedalbyweek.php
@@ -9,11 +9,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/deletemedalbyweek.php b/GameEngine/Admin/Mods/deletemedalbyweek.php
index 0d6c3c77..786ee12e 100755
--- a/GameEngine/Admin/Mods/deletemedalbyweek.php
+++ b/GameEngine/Admin/Mods/deletemedalbyweek.php
@@ -9,11 +9,13 @@
## ##
##################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editAccess.php b/GameEngine/Admin/Mods/editAccess.php
index 8c895081..36880f0a 100755
--- a/GameEngine/Admin/Mods/editAccess.php
+++ b/GameEngine/Admin/Mods/editAccess.php
@@ -8,8 +8,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id
$access = mysqli_fetch_array($sql);
$sessionaccess = $access['access'];
-if($sessionaccess != 9) die("
Access Denied: You are not Admin!
");
+if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Cast + whitelist the access level. $_POST['access'] was injected raw into
// the UPDATE below (SQL injection). Only accept the values the admin form
diff --git a/GameEngine/Admin/Mods/editAli.php b/GameEngine/Admin/Mods/editAli.php
index 5be73a44..9d97df1c 100644
--- a/GameEngine/Admin/Mods/editAli.php
+++ b/GameEngine/Admin/Mods/editAli.php
@@ -9,11 +9,13 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($aid <= 0 || $admid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editBuildings.php b/GameEngine/Admin/Mods/editBuildings.php
index 12c4e23d..7e56185e 100755
--- a/GameEngine/Admin/Mods/editBuildings.php
+++ b/GameEngine/Admin/Mods/editBuildings.php
@@ -11,11 +11,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/editHero.php b/GameEngine/Admin/Mods/editHero.php
index 4bd8fd1d..a352b3f8 100755
--- a/GameEngine/Admin/Mods/editHero.php
+++ b/GameEngine/Admin/Mods/editHero.php
@@ -11,11 +11,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/editOverall.php b/GameEngine/Admin/Mods/editOverall.php
index bf7e744d..5b1fcf7b 100755
--- a/GameEngine/Admin/Mods/editOverall.php
+++ b/GameEngine/Admin/Mods/editOverall.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editPassword.php b/GameEngine/Admin/Mods/editPassword.php
index 0dced632..5526b4ab 100755
--- a/GameEngine/Admin/Mods/editPassword.php
+++ b/GameEngine/Admin/Mods/editPassword.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0 || $newpw === '') {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editPlus.php b/GameEngine/Admin/Mods/editPlus.php
index f7c35d7b..e8281195 100755
--- a/GameEngine/Admin/Mods/editPlus.php
+++ b/GameEngine/Admin/Mods/editPlus.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/editProtection.php b/GameEngine/Admin/Mods/editProtection.php
index e0e149b3..6ef76523 100755
--- a/GameEngine/Admin/Mods/editProtection.php
+++ b/GameEngine/Admin/Mods/editProtection.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editResources.php b/GameEngine/Admin/Mods/editResources.php
index 0efa76b4..0e2a7c09 100755
--- a/GameEngine/Admin/Mods/editResources.php
+++ b/GameEngine/Admin/Mods/editResources.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editSitter.php b/GameEngine/Admin/Mods/editSitter.php
index 33eb0a47..0bf0679a 100755
--- a/GameEngine/Admin/Mods/editSitter.php
+++ b/GameEngine/Admin/Mods/editSitter.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editUser.php b/GameEngine/Admin/Mods/editUser.php
index 5c74bd96..0f0102da 100755
--- a/GameEngine/Admin/Mods/editUser.php
+++ b/GameEngine/Admin/Mods/editUser.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editUsername.php b/GameEngine/Admin/Mods/editUsername.php
index 6ae99ace..3b7da256 100755
--- a/GameEngine/Admin/Mods/editUsername.php
+++ b/GameEngine/Admin/Mods/editUsername.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($uid <= 0 || $session <= 0 || $username === '') {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editVillageOwner.php b/GameEngine/Admin/Mods/editVillageOwner.php
index cfb40b37..2ec5bdd7 100755
--- a/GameEngine/Admin/Mods/editVillageOwner.php
+++ b/GameEngine/Admin/Mods/editVillageOwner.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($did <= 0 || $session <= 0 || $newowner <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editWeek.php b/GameEngine/Admin/Mods/editWeek.php
index 3a2a5fe9..058ba382 100755
--- a/GameEngine/Admin/Mods/editWeek.php
+++ b/GameEngine/Admin/Mods/editWeek.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/givePlus.php b/GameEngine/Admin/Mods/givePlus.php
index 34cae608..875db864 100755
--- a/GameEngine/Admin/Mods/givePlus.php
+++ b/GameEngine/Admin/Mods/givePlus.php
@@ -11,11 +11,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/givePlusRes.php b/GameEngine/Admin/Mods/givePlusRes.php
index b67ff9c7..fb7add95 100755
--- a/GameEngine/Admin/Mods/givePlusRes.php
+++ b/GameEngine/Admin/Mods/givePlusRes.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
$wood = (int)($_POST['wood'] ?? 0) * 86400;
diff --git a/GameEngine/Admin/Mods/giveResBonus.php b/GameEngine/Admin/Mods/giveResBonus.php
index f8cc0763..9d4fbdc6 100755
--- a/GameEngine/Admin/Mods/giveResBonus.php
+++ b/GameEngine/Admin/Mods/giveResBonus.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/gold.php b/GameEngine/Admin/Mods/gold.php
index 12ba52c0..4d35c8aa 100755
--- a/GameEngine/Admin/Mods/gold.php
+++ b/GameEngine/Admin/Mods/gold.php
@@ -10,8 +10,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -41,7 +43,7 @@ if($amount == 0){
// verificare admin
$check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid");
$acc = mysqli_fetch_assoc($check);
-if(!$acc || $acc['access'] != 9) die("
Access Denied
");
+if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// 1. UPDATE gold la toți (id > 3 = sare peste Natars etc)
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id > 3") or die(mysqli_error($GLOBALS["link"]));
diff --git a/GameEngine/Admin/Mods/gold_1.php b/GameEngine/Admin/Mods/gold_1.php
index 51846dc2..435dd4df 100755
--- a/GameEngine/Admin/Mods/gold_1.php
+++ b/GameEngine/Admin/Mods/gold_1.php
@@ -12,8 +12,10 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -35,7 +37,7 @@ if($id <= 0 || $amount == 0){
// verificare admin
$check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid");
$acc = mysqli_fetch_assoc($check);
-if(!$acc || $acc['access'] != 9) die("
Access Denied
");
+if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// 1. UPDATE GOLD
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id = $id") or die(mysqli_error($GLOBALS["link"]));
diff --git a/GameEngine/Admin/Mods/mainteneceBan.php b/GameEngine/Admin/Mods/mainteneceBan.php
index 808dde38..3ebf9688 100755
--- a/GameEngine/Admin/Mods/mainteneceBan.php
+++ b/GameEngine/Admin/Mods/mainteneceBan.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceCleanBanData.php b/GameEngine/Admin/Mods/mainteneceCleanBanData.php
index 93ff78f7..758a68c8 100755
--- a/GameEngine/Admin/Mods/mainteneceCleanBanData.php
+++ b/GameEngine/Admin/Mods/mainteneceCleanBanData.php
@@ -9,11 +9,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -42,7 +44,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceResetGold.php b/GameEngine/Admin/Mods/mainteneceResetGold.php
index 91119b7c..222fa089 100755
--- a/GameEngine/Admin/Mods/mainteneceResetGold.php
+++ b/GameEngine/Admin/Mods/mainteneceResetGold.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceResetPlus.php b/GameEngine/Admin/Mods/mainteneceResetPlus.php
index 6030bade..66743a62 100755
--- a/GameEngine/Admin/Mods/mainteneceResetPlus.php
+++ b/GameEngine/Admin/Mods/mainteneceResetPlus.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php b/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php
index 3e923003..4b3a387c 100755
--- a/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php
+++ b/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceUnban.php b/GameEngine/Admin/Mods/mainteneceUnban.php
index 9728c7b0..c702fd70 100755
--- a/GameEngine/Admin/Mods/mainteneceUnban.php
+++ b/GameEngine/Admin/Mods/mainteneceUnban.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/massmessage.php b/GameEngine/Admin/Mods/massmessage.php
index 0a5536e2..094f0206 100644
--- a/GameEngine/Admin/Mods/massmessage.php
+++ b/GameEngine/Admin/Mods/massmessage.php
@@ -11,13 +11,15 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
session_start();
include_once("../../config.php");
include_once("../../Database.php");
if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) {
- die("Access Denied");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/medals.php b/GameEngine/Admin/Mods/medals.php
index b332d972..c4f93324 100755
--- a/GameEngine/Admin/Mods/medals.php
+++ b/GameEngine/Admin/Mods/medals.php
@@ -9,8 +9,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
diff --git a/GameEngine/Admin/Mods/recalcWH.php b/GameEngine/Admin/Mods/recalcWH.php
index 5c29ad86..fe3e48ea 100755
--- a/GameEngine/Admin/Mods/recalcWH.php
+++ b/GameEngine/Admin/Mods/recalcWH.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -45,7 +47,7 @@ $id = (int)($_POST['id'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
if ($id <= 0) {
diff --git a/GameEngine/Admin/Mods/renameVillage.php b/GameEngine/Admin/Mods/renameVillage.php
index e17a94c6..5b99143d 100755
--- a/GameEngine/Admin/Mods/renameVillage.php
+++ b/GameEngine/Admin/Mods/renameVillage.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($did <= 0 || $nameOrig === '') {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/sendMessage.php b/GameEngine/Admin/Mods/sendMessage.php
index 8a6e98e3..0efaeb9d 100755
--- a/GameEngine/Admin/Mods/sendMessage.php
+++ b/GameEngine/Admin/Mods/sendMessage.php
@@ -10,12 +10,14 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/sysmessage.php b/GameEngine/Admin/Mods/sysmessage.php
index b26680ae..12d270ae 100644
--- a/GameEngine/Admin/Mods/sysmessage.php
+++ b/GameEngine/Admin/Mods/sysmessage.php
@@ -15,13 +15,15 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
session_start();
include_once("../../config.php");
include_once("../../Database.php");
if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) {
- die("Access Denied");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/csrf.php b/GameEngine/Admin/csrf.php
index fc8a50ac..cfd70935 100644
--- a/GameEngine/Admin/csrf.php
+++ b/GameEngine/Admin/csrf.php
@@ -40,6 +40,49 @@ if (!function_exists('csrf_token')) {
return '';
}
+ /**
+ * Render a clean, self-contained error page and stop execution (issue #299).
+ *
+ * The admin Mods are POSTed to directly; when the admin session is missing
+ * (e.g. it was destroyed by a game logout that shares the same PHP session,
+ * or the form was served from a mobile cache with a stale/empty token) the
+ * old code stopped with a bare die('
Access Denied
') fragment, which
+ * shows up as an essentially blank page. This renders a proper, styled error
+ * with a way back into the panel instead.
+ */
+ function admin_deny(string $message, string $title = 'Access Denied', int $httpCode = 403): void
+ {
+ if (!headers_sent()) {
+ http_response_code($httpCode);
+ header('Content-Type: text/html; charset=UTF-8');
+ // Never let this error page be cached (it is session-dependent).
+ header('Cache-Control: no-store, no-cache, must-revalidate');
+ }
+
+ $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
+ $safeMsg = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
+
+ echo ''
+ . ''
+ . '' . $safeTitle . '
';
+ exit;
+ }
+
/**
* Verify the CSRF token of a POST request.
* Stops execution with HTTP 403 if the token is missing or does not match.
@@ -51,9 +94,13 @@ if (!function_exists('csrf_token')) {
$stored = csrf_token();
if ($stored === '' || !hash_equals($stored, $submitted)) {
- http_response_code(403);
// Generic message — does not reveal details about the mechanism.
- die('
403 Forbidden
Invalid or missing security token. Please go back and try again.
');
+ admin_deny(
+ 'Your session may have expired or this page was loaded from cache. '
+ . 'Please reload the admin panel and try again.',
+ 'Security Check Failed',
+ 403
+ );
}
}
}